通常入侵檢測(cè)系統(tǒng)在一旦發(fā)現(xiàn)有入侵跡象時(shí)便發(fā)出警報(bào)，但許多入侵攻擊最終是不能
成功的或者說(shuō)并不能給系統(tǒng)或網(wǎng)絡(luò)造成危害，所以相應(yīng)的警報(bào)屬于無(wú)效警報(bào)，而正是大量無(wú)效警報(bào)的存在使得入侵檢測(cè)系統(tǒng)有著較高的誤報(bào)率。在本文中，針對(duì)網(wǎng)絡(luò)型誤用入侵檢測(cè)系統(tǒng)建立了一種新的警報(bào)過(guò)濾機(jī)制，此機(jī)制通過(guò)安全掃描系統(tǒng)建立起一個(gè)本網(wǎng)絡(luò)的漏洞數(shù)據(jù)庫(kù)，由于一種網(wǎng)絡(luò)攻擊一般都是針對(duì)一個(gè)或多個(gè)程序漏洞的，當(dāng)入侵檢測(cè)系統(tǒng)發(fā)現(xiàn)可疑入侵時(shí)，找出攻擊成功時(shí)所需存在的漏洞，并依據(jù)漏洞數(shù)據(jù)庫(kù)加以實(shí)時(shí)確認(rèn)此漏洞是否存在，若不存在，則只是記入日志而不發(fā)出警報(bào)，從而過(guò)濾無(wú)效警報(bào)的產(chǎn)生。實(shí)驗(yàn)結(jié)果證明，本文提出的警報(bào)過(guò)濾機(jī)制可以有效的降低誤報(bào)率。
關(guān)鍵詞 入侵檢測(cè)安全掃描漏洞數(shù)據(jù)庫(kù)警報(bào)過(guò)濾 降低誤報(bào)率
Abstract:One problem is the fact that intrusion detection systems are often run without any (orvery limited) information of the network resources that they protect.Althorugh tuning and proper configuration may eliminate the most obvious spurious alerts,the problem of the vast imbalance between actual and false alerts remains. This paper proposes an alert filtering scheme to reduce the false rate of intrusion detection systems.With the security scan system the scheme sets up a hole database of the protected network,against which a preliminarily recognized attack threat can be verified in determining if the attack may really succeed before it is reported.Expreiment result shows with the filtering scheme the false rate of intrusion detection systems obviously reduced.
Keywords: intrusion detection,security scan,hole database,alert filtering,false alert reduction